projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(routes): Static-Routes-Management + Live-View (Networks-Tab)

Browse Source 
Migration 0019: static_routes (id, destination, gateway, dev, metric,
table_name, active, comment).

internal/services/staticroutes/:
  - CRUD-Repo
  - Generator schreibt /etc/edgeguard/routes.conf (pipe-format) und
    triggert `sudo systemctl restart edgeguard-routes.service`
  - LiveAll() ruft `ip -j route show table all` und parsed JSON

internal/handlers/routes.go:
  GET /api/v1/routes           — managed (DB)
  POST/PUT/DELETE              — CRUD (re-render + apply on mutate)
  GET /api/v1/routes/live      — kernel-state via ip(8)

postinst:
  - /usr/sbin/edgeguard-apply-routes (root-owned shell-script). Liest
    routes.conf, flusht `proto 250` (= edgeguard), setzt neue Routen
    mit proto 250. Andere Quellen (kernel/dhcp/manuell) bleiben
    unangetastet.
  - /etc/systemd/system/edgeguard-routes.service (Type=oneshot,
    After=network-online.target). Beim Boot automatisch via
    multi-user.target.
  - /etc/iproute2/rt_protos.d/edgeguard.conf — Symbol "edgeguard" =
    250 damit `ip route show proto edgeguard` funktioniert.
    (Debian 13 hat kein /etc/iproute2 default → .d-Pattern statt
    rt_protos-Anhängen.)
  - sudoers: edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl
    restart edgeguard-routes.service

UI: Networks-Page jetzt mit Tabs (Interfaces + Routen). Routes-Tab
hat zwei Cards:
  - Live-Routen (read-only, 30s refresh, `proto edgeguard` farblich
    hervorgehoben)
  - Verwaltete Routen (CRUD-Tabelle, Add/Edit-Modal mit destination/
    gateway/dev/metric/table/active/comment)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-12 23:50:26 +02:00
parent dbc14a24a4
commit b031725dfe
14 changed files with 1162 additions and 275 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -1 +1 @@
1.0.65 1.0.67

5
cmd/edgeguard-api/main.go
View File

@@ -45,13 +45,14 @@ import (
ntpsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/ntp" ntpsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/ntp"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules" "git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets" "git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/staticroutes"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/session" "git.netcell-it.de/projekte/edgeguard-native/internal/services/session"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup" "git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts" "git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard" wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
) )
var version = "1.0.65" var version = "1.0.67"
func main() { func main() {
addr := os.Getenv("EDGEGUARD_API_ADDR") addr := os.Getenv("EDGEGUARD_API_ADDR")
@@ -183,6 +184,8 @@ func main() {
handlers.NewRoutingRulesHandler(routingRepo, auditRepo, nodeID, haproxyReloader).Register(authed) handlers.NewRoutingRulesHandler(routingRepo, auditRepo, nodeID, haproxyReloader).Register(authed)
handlers.NewNetworksHandler(ifsRepo, ipsRepo, fwZones, auditRepo, nodeID).Register(authed) handlers.NewNetworksHandler(ifsRepo, ipsRepo, fwZones, auditRepo, nodeID).Register(authed)
handlers.NewIPAddressesHandler(ipsRepo, auditRepo, nodeID).Register(authed) handlers.NewIPAddressesHandler(ipsRepo, auditRepo, nodeID).Register(authed)
handlers.NewRoutesHandler(staticroutes.New(pool), staticroutes.NewGenerator(pool),
auditRepo, nodeID).Register(authed)
handlers.NewClusterHandler(clusterStore, nodeID).Register(authed) handlers.NewClusterHandler(clusterStore, nodeID).Register(authed)
handlers.NewAuditHandler(auditRepo).Register(authed) handlers.NewAuditHandler(auditRepo).Register(authed)
handlers.NewHAProxyStatsHandler().Register(authed) handlers.NewHAProxyStatsHandler().Register(authed)

2
cmd/edgeguard-ctl/main.go
View File

@@ -9,7 +9,7 @@ import (
"os" "os"
) )
var version = "1.0.65" var version = "1.0.67"
const usage = `edgeguard-ctl — EdgeGuard CLI const usage = `edgeguard-ctl — EdgeGuard CLI

2
cmd/edgeguard-scheduler/main.go
View File

@@ -25,7 +25,7 @@ import (
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts" "git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
) )
var version = "1.0.65" var version = "1.0.67"
const ( const (
// renewTickInterval — how often we re-evaluate expiring certs. // renewTickInterval — how often we re-evaluate expiring certs.

39
internal/database/migrations/0019_static_routes.sql Normal file
View File

@@ -0,0 +1,39 @@
-- +goose Up
-- +goose StatementBegin
-- Static routes — managed durch EdgeGuard, geschrieben in
-- /etc/edgeguard/routes.conf und appliziert via `ip route … proto
-- edgeguard`. Markierung mit Protocol-ID 250 (in der apply-script
-- gemappt) damit der Operator manuell-gesetzte Routen im Kernel
-- erkennt und nicht beim flush wegradiert.
--
-- destination: CIDR ("10.0.5.0/24" oder "0.0.0.0/0").
-- gateway: IPv4/v6 oder NULL (für on-link via dev).
-- dev: interface name (optional; bei Gateway-only kann ip das
-- selbst auflösen, aber explizit ist besser).
-- metric: Priorität — niedriger gewinnt (default 100).
-- table: routing table name oder "main" (default).
CREATE TABLE IF NOT EXISTS static_routes (
id BIGSERIAL PRIMARY KEY,
destination TEXT NOT NULL,
gateway TEXT,
dev TEXT,
metric INTEGER NOT NULL DEFAULT 100,
table_name TEXT NOT NULL DEFAULT 'main',
active BOOLEAN NOT NULL DEFAULT TRUE,
comment TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT static_routes_metric_check CHECK (metric >= 0 AND metric <= 65535)
);
CREATE INDEX IF NOT EXISTS idx_static_routes_active ON static_routes (active) WHERE active;
CREATE INDEX IF NOT EXISTS idx_static_routes_dest ON static_routes (destination);
-- +goose StatementEnd
-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS static_routes;
-- +goose StatementEnd

128
internal/handlers/routes.go Normal file
View File

@@ -0,0 +1,128 @@
package handlers
import (
"context"
"errors"
"log/slog"
"strconv"
"github.com/gin-gonic/gin"
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/staticroutes"
)
// RoutesHandler exposes:
//
// GET /api/v1/routes — verwaltete Routen aus DB
// POST /api/v1/routes — anlegen
// PUT /api/v1/routes/:id — ändern
// DELETE /api/v1/routes/:id — löschen
// GET /api/v1/routes/live — Live-Routen vom Kernel (ip -j route)
type RoutesHandler struct {
Repo *staticroutes.Repo
Renderer *staticroutes.Generator
Audit *audit.Repo
NodeID string
}
func NewRoutesHandler(repo *staticroutes.Repo, gen *staticroutes.Generator,
a *audit.Repo, nodeID string) *RoutesHandler {
return &RoutesHandler{Repo: repo, Renderer: gen, Audit: a, NodeID: nodeID}
}
func (h *RoutesHandler) Register(rg *gin.RouterGroup) {
g := rg.Group("/routes")
g.GET("", h.List)
g.POST("", h.Create)
g.PUT("/:id", h.Update)
g.DELETE("/:id", h.Delete)
g.GET("/live", h.Live)
}
func (h *RoutesHandler) reload(ctx context.Context, op string) {
if h.Renderer == nil {
return
}
if err := h.Renderer.Render(ctx); err != nil {
slog.Warn("routes: render+apply failed", "op", op, "error", err)
}
}
func (h *RoutesHandler) List(c *gin.Context) {
out, err := h.Repo.List(c.Request.Context())
if err != nil {
response.Internal(c, err)
return
}
response.OK(c, gin.H{"routes": out})
}
func (h *RoutesHandler) Create(c *gin.Context) {
var req staticroutes.Route
if err := c.ShouldBindJSON(&req); err != nil {
response.BadRequest(c, err)
return
}
out, err := h.Repo.Create(c.Request.Context(), req)
if err != nil {
response.Internal(c, err)
return
}
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.create", out.Destination, out, h.NodeID)
response.Created(c, out)
h.reload(c.Request.Context(), "create")
}
func (h *RoutesHandler) Update(c *gin.Context) {
id, ok := parseID(c)
if !ok {
return
}
var req staticroutes.Route
if err := c.ShouldBindJSON(&req); err != nil {
response.BadRequest(c, err)
return
}
out, err := h.Repo.Update(c.Request.Context(), id, req)
if err != nil {
if errors.Is(err, staticroutes.ErrNotFound) {
response.NotFound(c, err)
return
}
response.Internal(c, err)
return
}
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.update", out.Destination, out, h.NodeID)
response.OK(c, out)
h.reload(c.Request.Context(), "update")
}
func (h *RoutesHandler) Delete(c *gin.Context) {
id, ok := parseID(c)
if !ok {
return
}
if err := h.Repo.Delete(c.Request.Context(), id); err != nil {
if errors.Is(err, staticroutes.ErrNotFound) {
response.NotFound(c, err)
return
}
response.Internal(c, err)
return
}
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.delete",
strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
response.NoContent(c)
h.reload(c.Request.Context(), "delete")
}
func (h *RoutesHandler) Live(c *gin.Context) {
routes, err := staticroutes.LiveAll(c.Request.Context())
if err != nil {
response.Internal(c, err)
return
}
response.OK(c, gin.H{"routes": routes})
}

280
internal/services/staticroutes/staticroutes.go Normal file
View File

@@ -0,0 +1,280 @@
// Package staticroutes verwaltet die static_routes-Tabelle, schreibt
// /etc/edgeguard/routes.conf und triggert das Apply-Skript via
// `sudo systemctl reload-or-restart edgeguard-routes.service`.
//
// Live-Routen (was der Kernel aktuell hat) liest /api/v1/routes/live
// direkt via `ip -j route` — kein DB-Roundtrip nötig.
package staticroutes
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"os/exec"
"strings"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgxpool"
"git.netcell-it.de/projekte/edgeguard-native/internal/configgen"
)
var ErrNotFound = errors.New("route not found")
// ConfPath ist der Pfad der vom apply-Skript gelesen wird. Postinst
// erzeugt das Skript (/usr/sbin/edgeguard-apply-routes) und die
// systemd-Unit (edgeguard-routes.service Type=oneshot).
const ConfPath = "/etc/edgeguard/routes.conf"
type Repo struct {
Pool *pgxpool.Pool
}
func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
type Route struct {
ID int64 `json:"id"`
Destination string `json:"destination"`
Gateway *string `json:"gateway,omitempty"`
Dev *string `json:"dev,omitempty"`
Metric int `json:"metric"`
TableName string `json:"table_name"`
Active bool `json:"active"`
Comment *string `json:"comment,omitempty"`
}
const baseSelect = `
SELECT id, destination, gateway, dev, metric, table_name, active, comment
FROM static_routes
`
func (r *Repo) List(ctx context.Context) ([]Route, error) {
rows, err := r.Pool.Query(ctx, baseSelect+
" ORDER BY metric ASC, destination ASC, id ASC")
if err != nil {
return nil, err
}
defer rows.Close()
out := []Route{}
for rows.Next() {
var x Route
if err := rows.Scan(&x.ID, &x.Destination, &x.Gateway, &x.Dev,
&x.Metric, &x.TableName, &x.Active, &x.Comment); err != nil {
return nil, err
}
out = append(out, x)
}
return out, rows.Err()
}
func (r *Repo) Get(ctx context.Context, id int64) (*Route, error) {
row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
var x Route
if err := row.Scan(&x.ID, &x.Destination, &x.Gateway, &x.Dev,
&x.Metric, &x.TableName, &x.Active, &x.Comment); err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return nil, ErrNotFound
}
return nil, err
}
return &x, nil
}
func (r *Repo) Create(ctx context.Context, x Route) (*Route, error) {
if x.Metric == 0 {
x.Metric = 100
}
if x.TableName == "" {
x.TableName = "main"
}
row := r.Pool.QueryRow(ctx, `
INSERT INTO static_routes (destination, gateway, dev, metric, table_name, active, comment)
VALUES ($1, $2, $3, $4, $5, $6, $7)
RETURNING id, destination, gateway, dev, metric, table_name, active, comment`,
x.Destination, x.Gateway, x.Dev, x.Metric, x.TableName, x.Active, x.Comment)
var out Route
if err := row.Scan(&out.ID, &out.Destination, &out.Gateway, &out.Dev,
&out.Metric, &out.TableName, &out.Active, &out.Comment); err != nil {
return nil, err
}
return &out, nil
}
func (r *Repo) Update(ctx context.Context, id int64, x Route) (*Route, error) {
if x.Metric == 0 {
x.Metric = 100
}
if x.TableName == "" {
x.TableName = "main"
}
row := r.Pool.QueryRow(ctx, `
UPDATE static_routes SET
destination = $1, gateway = $2, dev = $3, metric = $4,
table_name = $5, active = $6, comment = $7, updated_at = NOW()
WHERE id = $8
RETURNING id, destination, gateway, dev, metric, table_name, active, comment`,
x.Destination, x.Gateway, x.Dev, x.Metric, x.TableName, x.Active, x.Comment, id)
var out Route
if err := row.Scan(&out.ID, &out.Destination, &out.Gateway, &out.Dev,
&out.Metric, &out.TableName, &out.Active, &out.Comment); err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return nil, ErrNotFound
}
return nil, err
}
return &out, nil
}
func (r *Repo) Delete(ctx context.Context, id int64) error {
tag, err := r.Pool.Exec(ctx, `DELETE FROM static_routes WHERE id = $1`, id)
if err != nil {
return err
}
if tag.RowsAffected() == 0 {
return ErrNotFound
}
return nil
}
// Render schreibt /etc/edgeguard/routes.conf und triggert das
// apply-Skript via sudo. Aufruf-Pattern wie andere Renderer
// (configgen.AtomicWrite + ReloadService).
type Generator struct {
Pool *pgxpool.Pool
Repo *Repo
Out string
}
func NewGenerator(pool *pgxpool.Pool) *Generator {
return &Generator{Pool: pool, Repo: New(pool), Out: ConfPath}
}
func (g *Generator) Render(ctx context.Context) error {
routes, err := g.Repo.List(ctx)
if err != nil {
return fmt.Errorf("list: %w", err)
}
var buf bytes.Buffer
buf.WriteString("# Generated by edgeguard-api — DO NOT EDIT.\n")
buf.WriteString("# Read by /usr/sbin/edgeguard-apply-routes on `systemctl restart\n")
buf.WriteString("# edgeguard-routes.service`. Format: destination|gateway|dev|metric|table\n")
buf.WriteString("# (pipe-delimited; empty fields stay empty). Lines beginning with '#'\n")
buf.WriteString("# are ignored. proto edgeguard → safe für `ip route flush proto edgeguard`.\n")
for _, r := range routes {
if !r.Active {
continue
}
gw := ""
if r.Gateway != nil {
gw = *r.Gateway
}
dev := ""
if r.Dev != nil {
dev = *r.Dev
}
fmt.Fprintf(&buf, "%s|%s|%s|%d|%s\n",
sanitize(r.Destination), sanitize(gw), sanitize(dev),
r.Metric, sanitize(r.TableName))
}
if err := configgen.AtomicWrite(g.Out, buf.Bytes(), 0o644); err != nil {
return fmt.Errorf("write %s: %w", g.Out, err)
}
// Apply — sudo systemctl restart edgeguard-routes.service. Failures
// loggen wir; das File ist geschrieben, ein retry über die UI ist
// trivial.
if err := applyRoutes(ctx); err != nil {
return fmt.Errorf("apply: %w", err)
}
return nil
}
func applyRoutes(_ context.Context) error {
// Whitelist in postinst: sudo -n /usr/bin/systemctl restart
// edgeguard-routes.service
cmd := exec.Command("sudo", "-n", "/usr/bin/systemctl",
"restart", "edgeguard-routes.service")
out, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("systemctl restart edgeguard-routes.service: %s: %w",
strings.TrimSpace(string(out)), err)
}
return nil
}
// sanitize verhindert dass ein Operator-eingegebenes Feld den Pipe-
// Separator brechen kann. Bei legitimen IP/CIDR-Strings kein Effekt.
func sanitize(s string) string {
s = strings.ReplaceAll(s, "|", "")
s = strings.ReplaceAll(s, "\n", "")
return strings.TrimSpace(s)
}
// LiveRoute ist die UI-Sicht auf `ip -j route show`. Wir parsen das
// JSON da rein damit das Frontend nicht selbst regex'en muss.
type LiveRoute struct {
Destination string `json:"destination"`
Gateway string `json:"gateway,omitempty"`
Dev string `json:"dev,omitempty"`
Protocol string `json:"protocol,omitempty"`
Scope string `json:"scope,omitempty"`
Source string `json:"src,omitempty"`
Metric int `json:"metric,omitempty"`
Table string `json:"table,omitempty"`
Flags []string `json:"flags,omitempty"`
}
// ipRouteRaw mirrors `ip -j route`'s shape. Felder die uns nicht
// interessieren ignoriert der JSON-Decoder.
type ipRouteRaw struct {
Dst string `json:"dst"`
Gateway string `json:"gateway"`
Dev string `json:"dev"`
Protocol string `json:"protocol"`
Scope string `json:"scope"`
PrefSrc string `json:"prefsrc"`
Metric int `json:"metric"`
Table string `json:"table"`
Flags []string `json:"flags"`
}
// LiveAll ruft `ip -j route show table all` auf und gibt die geparste
// Liste zurück. Liest stdout direkt — kein File-Buffering.
func LiveAll(ctx context.Context) ([]LiveRoute, error) {
cmd := exec.CommandContext(ctx, "/usr/sbin/ip", "-j", "route", "show", "table", "all")
out, err := cmd.Output()
if err != nil {
// Manche Distros haben ip in /sbin oder /bin — fallback via PATH.
cmd = exec.CommandContext(ctx, "ip", "-j", "route", "show", "table", "all")
out, err = cmd.Output()
if err != nil {
return nil, fmt.Errorf("ip -j route: %w", err)
}
}
// Wenn ip -j leeres Array liefert kommt "[]" — sauber parsen.
out = bytes.TrimSpace(out)
if len(out) == 0 || bytes.Equal(out, []byte("[]")) {
return []LiveRoute{}, nil
}
var raw []ipRouteRaw
if err := json.Unmarshal(out, &raw); err != nil {
return nil, fmt.Errorf("parse ip -j: %w", err)
}
res := make([]LiveRoute, 0, len(raw))
for _, r := range raw {
res = append(res, LiveRoute{
Destination: r.Dst,
Gateway: r.Gateway,
Dev: r.Dev,
Protocol: r.Protocol,
Scope: r.Scope,
Source: r.PrefSrc,
Metric: r.Metric,
Table: r.Table,
Flags: r.Flags,
})
}
return res, nil
}

2
management-ui/src/components/Layout/Sidebar.tsx
View File

@@ -78,7 +78,7 @@ const NAV: NavSection[] = [
}, },
] ]
const VERSION = '1.0.65' const VERSION = '1.0.67'
// Sidebar-Pattern 1:1 aus netcell-webpanel (enconf) übernommen: // Sidebar-Pattern 1:1 aus netcell-webpanel (enconf) übernommen:
// - <nav> als root, dunkler Gradient + Teal/Blue-Accent // - <nav> als root, dunkler Gradient + Teal/Blue-Accent

38
management-ui/src/i18n/locales/de/common.json
View File

@@ -114,8 +114,12 @@
} }
}, },
"networks": { "networks": {
"title": "Netzwerk-Interfaces", "title": "Netzwerk",
"intro": "Verwalte WAN-, LAN-, VLAN- und Bond-Interfaces. Read-only-Discovery der Kernel-Interfaces oben; deklarierte Konfiguration unten — runtime-Apply via systemd-networkd folgt in einem späteren Release.", "intro": "Interfaces (Ethernet/VLAN/Bond/Bridge) und Static-Routes. Live-Discovery + deklarative Konfiguration aus der DB.",
"tabs": {
"interfaces": "Interfaces",
"routes": "Routen"
},
"systemDiscovered": "System-Interfaces (read-only)", "systemDiscovered": "System-Interfaces (read-only)",
"addInterface": "Interface hinzufügen", "addInterface": "Interface hinzufügen",
"editInterface": "Interface bearbeiten", "editInterface": "Interface bearbeiten",
@@ -622,6 +626,36 @@
"cta": "Jetzt aktivieren →", "cta": "Jetzt aktivieren →",
"openPage": "Lizenz-Seite öffnen →" "openPage": "Lizenz-Seite öffnen →"
}, },
"routes": {
"liveTitle": "Live-Routen (Kernel)",
"liveIntro": "Aktueller Zustand aus `ip -j route show table all`. proto edgeguard markiert von EdgeGuard verwaltete Routen — andere Quellen (kernel/static/dhcp) bleiben unberührt.",
"liveEmpty": "Keine Routen im Kernel.",
"managedTitle": "Verwaltete Routen",
"managedIntro": "Statische Routen, die EdgeGuard via `ip route … proto edgeguard` beim Boot setzt. Änderung hier triggert sofort `systemctl restart edgeguard-routes.service`.",
"add": "Route hinzufügen",
"addTitle": "Statische Route anlegen",
"editTitle": "Statische Route bearbeiten",
"empty": "Keine verwalteten Routen.",
"confirmDelete": "Route nach {{dest}} wirklich löschen?",
"refreshTooltip": "Live-Routen neu laden",
"destExtra": "CIDR — z.B. 10.0.5.0/24 oder 0.0.0.0/0 für Default-Route.",
"gatewayExtra": "Optional. Leer = on-link via dev.",
"devExtra": "Output-Interface. Bei Gateway-only kann ip das auflösen, explizit ist aber stabiler.",
"metricExtra": "Niedriger gewinnt. Default 100. Standard-Linux-Defaults: dhcp 1024, kernel-link 0.",
"tableExtra": "Routing-Table. main = Standard. Custom-Tables via /etc/iproute2/rt_tables.",
"col": {
"destination": "Ziel",
"gateway": "Gateway",
"dev": "Interface",
"metric": "Metric",
"table": "Table",
"active": "Aktiv",
"comment": "Kommentar",
"proto": "Protokoll",
"scope": "Scope",
"src": "Quell-IP"
}
},
"backups": { "backups": {
"title": "Backups", "title": "Backups",
"intro": "Sicherungen der PostgreSQL-Datenbank + /var/lib/edgeguard (Setup, License, JWT, ACME-Account). Täglicher Auto-Job + manueller Trigger.", "intro": "Sicherungen der PostgreSQL-Datenbank + /var/lib/edgeguard (Setup, License, JWT, ACME-Account). Täglicher Auto-Job + manueller Trigger.",

38
management-ui/src/i18n/locales/en/common.json
View File

@@ -114,8 +114,12 @@
} }
}, },
"networks": { "networks": {
"title": "Network interfaces", "title": "Network",
"intro": "Manage WAN, LAN, VLAN and bond interfaces. Read-only kernel discovery above; declared configuration below — runtime apply via systemd-networkd lands in a later release.", "intro": "Interfaces (Ethernet / VLAN / bond / bridge) and static routes. Live kernel discovery + declared configuration from the DB.",
"tabs": {
"interfaces": "Interfaces",
"routes": "Routes"
},
"systemDiscovered": "System interfaces (read-only)", "systemDiscovered": "System interfaces (read-only)",
"addInterface": "Add interface", "addInterface": "Add interface",
"editInterface": "Edit interface", "editInterface": "Edit interface",
@@ -622,6 +626,36 @@
"cta": "Activate now →", "cta": "Activate now →",
"openPage": "Open license page →" "openPage": "Open license page →"
}, },
"routes": {
"liveTitle": "Live routes (kernel)",
"liveIntro": "Current state from `ip -j route show table all`. proto edgeguard marks routes managed by EdgeGuard — other sources (kernel/static/dhcp) are left untouched.",
"liveEmpty": "No routes in kernel.",
"managedTitle": "Managed routes",
"managedIntro": "Static routes EdgeGuard installs via `ip route … proto edgeguard` on boot. Changes here trigger `systemctl restart edgeguard-routes.service` immediately.",
"add": "Add route",
"addTitle": "Add static route",
"editTitle": "Edit static route",
"empty": "No managed routes yet.",
"confirmDelete": "Really delete route to {{dest}}?",
"refreshTooltip": "Reload live routes",
"destExtra": "CIDR — e.g. 10.0.5.0/24 or 0.0.0.0/0 for the default route.",
"gatewayExtra": "Optional. Empty = on-link via dev.",
"devExtra": "Output interface. Optional if gateway resolves; explicit is more stable.",
"metricExtra": "Lower wins. Default 100. Linux defaults: dhcp 1024, kernel-link 0.",
"tableExtra": "Routing table. main = default. Custom tables via /etc/iproute2/rt_tables.",
"col": {
"destination": "Destination",
"gateway": "Gateway",
"dev": "Interface",
"metric": "Metric",
"table": "Table",
"active": "Active",
"comment": "Comment",
"proto": "Protocol",
"scope": "Scope",
"src": "Source IP"
}
},
"backups": { "backups": {
"title": "Backups", "title": "Backups",
"intro": "Snapshots of the PostgreSQL database + /var/lib/edgeguard (setup, license, JWT, ACME account). Daily auto job + manual trigger.", "intro": "Snapshots of the PostgreSQL database + /var/lib/edgeguard (setup, license, JWT, ACME account). Daily auto job + manual trigger.",

277
management-ui/src/pages/Networks/Interfaces.tsx Normal file
View File

@@ -0,0 +1,277 @@
import { useState } from 'react'
import { Button, Card, Form, Input, InputNumber, Modal, Select, Space, Switch, Tag, Tooltip, Typography, message } from 'antd'
import type { ColumnsType } from 'antd/es/table'
import { PlusOutlined } from '@ant-design/icons'
import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
import { useTranslation } from 'react-i18next'
import DataTable from '../../components/DataTable'
import ActionButtons from '../../components/ActionButtons'
import StatusDot from '../../components/StatusDot'
import apiClient, { isEnvelope } from '../../api/client'
interface NetworkInterface {
id: number
name: string
type: 'ethernet' | 'vlan' | 'bond' | 'bridge' | 'wireguard'
parent?: string | null
vlan_id?: number | null
members: string[]
role: string
mtu?: number | null
active: boolean
description?: string | null
created_at: string
updated_at: string
}
interface IfaceFormValues {
name: string
type: NetworkInterface['type']
parent?: string
vlan_id?: number
members?: string[]
role: string
mtu?: number
active: boolean
description?: string
}
interface SystemInterface {
ifname: string
link_type?: string
address?: string
flags?: string[]
addr_info?: Array<{ family: 'inet' | 'inet6'; local: string; prefixlen: number }>
}
async function listInterfaces(): Promise<NetworkInterface[]> {
const r = await apiClient.get('/network-interfaces')
if (!isEnvelope(r.data)) return []
return (r.data.data as { interfaces?: NetworkInterface[] }).interfaces ?? []
}
async function listSystemInterfaces(): Promise<SystemInterface[]> {
const r = await apiClient.get('/system/interfaces')
if (!isEnvelope(r.data)) return []
return (r.data.data as { interfaces?: SystemInterface[] }).interfaces ?? []
}
interface FwZone { id: number; name: string; description?: string | null; builtin: boolean }
async function listZones(): Promise<FwZone[]> {
const r = await apiClient.get('/firewall/zones')
if (!isEnvelope(r.data)) return []
return (r.data.data as { zones?: FwZone[] }).zones ?? []
}
export default function InterfacesTab() {
const { t } = useTranslation()
const qc = useQueryClient()
const { data: ifs, isLoading } = useQuery({ queryKey: ['network-interfaces'], queryFn: listInterfaces })
const { data: sys } = useQuery({ queryKey: ['system', 'interfaces'], queryFn: listSystemInterfaces, refetchInterval: 60_000 })
const { data: zones } = useQuery({ queryKey: ['fw-zones'], queryFn: listZones })
const [editing, setEditing] = useState<NetworkInterface | null>(null)
const [creating, setCreating] = useState(false)
const [form] = Form.useForm<IfaceFormValues>()
const create = useMutation({
mutationFn: async (v: IfaceFormValues) => { await apiClient.post('/network-interfaces', v) },
onSuccess: () => {
message.success(t('common.save'))
setCreating(false); form.resetFields()
void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
},
})
const update = useMutation({
mutationFn: async ({ id, v }: { id: number; v: IfaceFormValues }) => { await apiClient.put(`/network-interfaces/${id}`, v) },
onSuccess: () => {
message.success(t('common.save'))
setEditing(null); form.resetFields()
void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
},
})
const del = useMutation({
mutationFn: async (id: number) => { await apiClient.delete(`/network-interfaces/${id}`) },
onSuccess: () => { void qc.invalidateQueries({ queryKey: ['network-interfaces'] }) },
})
// Stable colour palette for role tags. Builtin zones get a fixed
// colour; custom zones cycle through the palette by name hash so
// the same custom zone always shows up in the same shade.
const PALETTE = ['blue', 'green', 'orange', 'purple', 'magenta', 'cyan', 'gold', 'volcano', 'geekblue']
const FIXED: Record<string, string> = { wan: 'blue', lan: 'green', dmz: 'orange', mgmt: 'purple', cluster: 'magenta' }
const roleColor = (r: string): string => {
if (FIXED[r]) return FIXED[r]
let h = 0
for (let i = 0; i < r.length; i++) h = (h * 31 + r.charCodeAt(i)) >>> 0
return PALETTE[h % PALETTE.length]
}
const columns: ColumnsType<NetworkInterface> = [
{ title: t('networks.name'), dataIndex: 'name', key: 'name', render: (s: string) => <code>{s}</code> },
{ title: t('networks.type'), dataIndex: 'type', key: 'type' },
{
title: t('networks.composition'), key: 'composition',
render: (_, row) => {
if (row.type === 'vlan') return <span><code>{row.parent}</code>.{row.vlan_id}</span>
if (row.type === 'bridge' || row.type === 'bond') {
return <Space size={4} wrap>{(row.members ?? []).map((m) => <Tag key={m}>{m}</Tag>)}</Space>
}
return '—'
},
},
{
title: t('networks.role'), dataIndex: 'role', key: 'role',
render: (r: string) => <Tag color={roleColor(r)}>{r.toUpperCase()}</Tag>,
},
{ title: t('networks.mtu'), dataIndex: 'mtu', key: 'mtu', render: (v?: number) => v ?? '—' },
{ title: t('networks.active'), dataIndex: 'active', key: 'active', render: (v: boolean) => <StatusDot active={v} /> },
{
title: t('common.actions'), key: 'actions',
render: (_, row) => (
<ActionButtons
onEdit={() => {
setEditing(row)
form.setFieldsValue({
name: row.name, type: row.type, parent: row.parent ?? undefined,
vlan_id: row.vlan_id ?? undefined, members: row.members ?? [],
role: row.role,
mtu: row.mtu ?? undefined, active: row.active,
description: row.description ?? undefined,
})
}}
onDelete={() => del.mutate(row.id)}
deleteConfirm={t('networks.deleteConfirm', { name: row.name })}
/>
),
},
]
return (
<div>
<Card title={t('networks.systemDiscovered')} className="mb-12" size="small">
<Space wrap>
{(sys ?? []).map((i) => {
const v4 = (i.addr_info ?? []).filter((a) => a.family === 'inet').map((a) => `${a.local}/${a.prefixlen}`)
const v6 = (i.addr_info ?? []).filter((a) => a.family === 'inet6').map((a) => `${a.local}/${a.prefixlen}`)
return (
<Tooltip key={i.ifname} title={[...v4, ...v6].join(' · ') || '—'}>
<Tag>{i.ifname}{v4[0] ? ` · ${v4[0]}` : ''}</Tag>
</Tooltip>
)
})}
{(sys ?? []).length === 0 && <Typography.Text type="secondary"></Typography.Text>}
</Space>
</Card>
<DataTable
rowKey="id"
loading={isLoading}
dataSource={ifs ?? []}
columns={columns}
extraActions={
<Button type="primary" icon={<PlusOutlined />} onClick={() => {
setCreating(true); form.resetFields()
form.setFieldsValue({ type: 'ethernet', role: 'lan', active: true })
}}>
{t('networks.addInterface')}
</Button>
}
/>
<Modal
title={editing ? t('networks.editInterface') : t('networks.addInterface')}
open={editing !== null || creating}
onCancel={() => { setEditing(null); setCreating(false) }}
onOk={() => { void form.submit() }}
confirmLoading={create.isPending || update.isPending}
width={560}
>
<Form
form={form}
layout="vertical"
onFinish={(v) => {
if (editing) update.mutate({ id: editing.id, v })
else create.mutate(v)
}}
>
<Form.Item label={t('networks.name')} name="name" rules={[{ required: true }]}>
<Input placeholder="eth0 / eth0.100 / bond0" />
</Form.Item>
<Form.Item label={t('networks.type')} name="type" rules={[{ required: true }]}>
<Select options={[
{ value: 'ethernet', label: 'ethernet' },
{ value: 'vlan', label: 'vlan' },
{ value: 'bond', label: 'bond' },
{ value: 'bridge', label: 'bridge' },
{ value: 'wireguard',label: 'wireguard' },
]} />
</Form.Item>
<Form.Item noStyle shouldUpdate={(p, c) => p.type !== c.type}>
{({ getFieldValue }) => {
const tp = getFieldValue('type') as NetworkInterface['type'] | undefined
const sysOptions = (sys ?? [])
.filter((i) => i.ifname !== 'lo')
.map((i) => ({ value: i.ifname, label: i.ifname }))
if (tp === 'vlan') {
return (
<>
<Form.Item label={t('networks.parent')} name="parent" rules={[{ required: true }]}>
<Select placeholder={t('networks.selectParent')} showSearch options={sysOptions} />
</Form.Item>
<Form.Item label={t('networks.vlanId')} name="vlan_id" rules={[{ required: true }]}>
<InputNumber min={1} max={4094} style={{ width: '100%' }} />
</Form.Item>
</>
)
}
if (tp === 'bridge' || tp === 'bond') {
return (
<Form.Item
label={t('networks.members')}
name="members"
rules={[{ required: true, type: 'array', min: 1, message: t('networks.membersRequired') }]}
extra={tp === 'bridge' ? t('networks.membersHintBridge') : t('networks.membersHintBond')}
>
<Select
mode="multiple"
placeholder={t('networks.selectMembers')}
showSearch
options={sysOptions}
/>
</Form.Item>
)
}
return null
}}
</Form.Item>
<Form.Item
label={t('networks.role')}
name="role"
rules={[{ required: true }]}
extra={t('networks.roleHint')}
>
<Select
showSearch
options={(zones ?? []).map(z => ({
value: z.name,
label: z.builtin ? z.name.toUpperCase() : `${z.name.toUpperCase()} (custom)`,
}))}
/>
</Form.Item>
<Form.Item label={t('networks.mtu')} name="mtu">
<InputNumber min={68} max={9216} style={{ width: '100%' }} placeholder="1500" />
</Form.Item>
<Form.Item label={t('networks.description')} name="description">
<Input.TextArea rows={2} />
</Form.Item>
<Form.Item label={t('networks.active')} name="active" valuePropName="checked">
<Switch />
</Form.Item>
</Form>
</Modal>
</div>
)
}

274
management-ui/src/pages/Networks/Routes.tsx Normal file
View File

@@ -0,0 +1,274 @@
import { useState } from 'react'
import {
Button, Card, Form, Input, InputNumber, Modal, Popconfirm, Space, Switch, Table, Tag, Tooltip, Typography, message,
} from 'antd'
import type { ColumnsType } from 'antd/es/table'
import {
EnvironmentOutlined, PlusOutlined, ReloadOutlined,
} from '@ant-design/icons'
import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
import { useTranslation } from 'react-i18next'
import apiClient, { isEnvelope } from '../../api/client'
const { Text } = Typography
interface ManagedRoute {
id: number
destination: string
gateway?: string | null
dev?: string | null
metric: number
table_name: string
active: boolean
comment?: string | null
}
interface LiveRoute {
destination: string
gateway?: string
dev?: string
protocol?: string
scope?: string
src?: string
metric?: number
table?: string
flags?: string[]
}
interface RouteFormValues {
destination: string
gateway?: string
dev?: string
metric: number
table_name: string
active: boolean
comment?: string
}
export default function RoutesTab() {
const { t } = useTranslation()
const qc = useQueryClient()
const managed = useQuery({
queryKey: ['routes', 'managed'],
queryFn: async () => {
const r = await apiClient.get('/routes')
return isEnvelope(r.data) ? (r.data.data as { routes: ManagedRoute[] }).routes : []
},
})
const live = useQuery({
queryKey: ['routes', 'live'],
queryFn: async () => {
const r = await apiClient.get('/routes/live')
return isEnvelope(r.data) ? (r.data.data as { routes: LiveRoute[] }).routes : []
},
refetchInterval: 30_000,
})
const [edit, setEdit] = useState<ManagedRoute | null>(null)
const [creating, setCreating] = useState(false)
const [form] = Form.useForm<RouteFormValues>()
const create = useMutation({
mutationFn: async (v: RouteFormValues) => { await apiClient.post('/routes', v) },
onSuccess: () => {
message.success(t('common.save'))
setCreating(false); form.resetFields()
qc.invalidateQueries({ queryKey: ['routes'] })
},
onError: (e: Error) => message.error(e.message),
})
const update = useMutation({
mutationFn: async ({ id, v }: { id: number; v: RouteFormValues }) => {
await apiClient.put(`/routes/${id}`, v)
},
onSuccess: () => {
message.success(t('common.save'))
setEdit(null); form.resetFields()
qc.invalidateQueries({ queryKey: ['routes'] })
},
onError: (e: Error) => message.error(e.message),
})
const del = useMutation({
mutationFn: async (id: number) => { await apiClient.delete(`/routes/${id}`) },
onSuccess: () => { qc.invalidateQueries({ queryKey: ['routes'] }) },
onError: (e: Error) => message.error(e.message),
})
const managedColumns: ColumnsType<ManagedRoute> = [
{
title: t('routes.col.destination'), dataIndex: 'destination',
render: (v: string) => <Text style={{ fontFamily: 'monospace' }}>{v}</Text>,
},
{
title: t('routes.col.gateway'), dataIndex: 'gateway',
render: (v?: string) => v
? <Text style={{ fontFamily: 'monospace' }}>{v}</Text>
: <Text type="secondary">on-link</Text>,
},
{ title: t('routes.col.dev'), dataIndex: 'dev', width: 110,
render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
{ title: t('routes.col.metric'), dataIndex: 'metric', width: 80 },
{ title: t('routes.col.table'), dataIndex: 'table_name', width: 90 },
{ title: t('routes.col.active'), dataIndex: 'active', width: 80,
render: (v: boolean) => v ? <Tag color="green">on</Tag> : <Tag>off</Tag> },
{ title: t('routes.col.comment'), dataIndex: 'comment',
render: (v?: string) => v || <Text type="secondary"></Text> },
{
title: t('common.actions'), key: 'a', width: 160,
render: (_, r) => (
<Space size={4}>
<Button size="small" onClick={() => {
setEdit(r)
form.setFieldsValue({
destination: r.destination,
gateway: r.gateway ?? undefined,
dev: r.dev ?? undefined,
metric: r.metric,
table_name: r.table_name,
active: r.active,
comment: r.comment ?? undefined,
})
}}>{t('common.edit')}</Button>
<Popconfirm title={t('routes.confirmDelete', { dest: r.destination })}
onConfirm={() => del.mutate(r.id)}>
<Button size="small" danger>{t('common.delete')}</Button>
</Popconfirm>
</Space>
),
},
]
const liveColumns: ColumnsType<LiveRoute> = [
{ title: t('routes.col.destination'), dataIndex: 'destination',
render: (v?: string) => (
<Text style={{ fontFamily: 'monospace' }}>{v || 'default'}</Text>
) },
{ title: t('routes.col.gateway'), dataIndex: 'gateway',
render: (v?: string) => v
? <Text style={{ fontFamily: 'monospace' }}>{v}</Text>
: <Text type="secondary"></Text> },
{ title: t('routes.col.dev'), dataIndex: 'dev', width: 110,
render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
{ title: t('routes.col.proto'), dataIndex: 'protocol', width: 110,
render: (v?: string) => v
? <Tag color={v === 'edgeguard' ? 'cyan' : 'default'}>{v}</Tag>
: '—' },
{ title: t('routes.col.scope'), dataIndex: 'scope', width: 90,
render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
{ title: t('routes.col.src'), dataIndex: 'src', width: 130,
render: (v?: string) => v
? <Text style={{ fontFamily: 'monospace', fontSize: 11 }}>{v}</Text>
: <Text type="secondary"></Text> },
{ title: t('routes.col.metric'), dataIndex: 'metric', width: 80,
render: (v?: number) => v ?? '—' },
]
return (
<div>
<Card
size="small"
title={
<Space>
<EnvironmentOutlined />
{t('routes.liveTitle')}
<Text type="secondary" style={{ fontSize: 12 }}>
({(live.data ?? []).length})
</Text>
</Space>
}
extra={
<Tooltip title={t('routes.refreshTooltip')}>
<Button size="small" icon={<ReloadOutlined />}
loading={live.isFetching}
onClick={() => live.refetch()}>{t('common.refresh')}</Button>
</Tooltip>
}
className="mb-16"
>
<Text type="secondary">{t('routes.liveIntro')}</Text>
<Table
rowKey={(r, idx) => `${r.destination}-${r.dev}-${r.metric}-${idx}`}
size="small"
dataSource={live.data ?? []}
columns={liveColumns}
pagination={{ pageSize: 25, showSizeChanger: true, pageSizeOptions: [25, 50, 100] }}
locale={{ emptyText: t('routes.liveEmpty') }}
style={{ marginTop: 12 }}
/>
</Card>
<Card
size="small"
title={t('routes.managedTitle')}
extra={
<Button type="primary" size="small" icon={<PlusOutlined />}
onClick={() => {
setCreating(true); form.resetFields()
form.setFieldsValue({
metric: 100, table_name: 'main', active: true,
destination: '', gateway: '', dev: '',
})
}}>
{t('routes.add')}
</Button>
}
>
<Text type="secondary">{t('routes.managedIntro')}</Text>
<Table
rowKey="id"
size="small"
loading={managed.isFetching}
dataSource={managed.data ?? []}
columns={managedColumns}
pagination={false}
locale={{ emptyText: t('routes.empty') }}
style={{ marginTop: 12 }}
/>
</Card>
<Modal
title={edit ? t('routes.editTitle') : t('routes.addTitle')}
open={edit !== null || creating}
onCancel={() => { setEdit(null); setCreating(false); form.resetFields() }}
onOk={() => form.submit()}
confirmLoading={create.isPending || update.isPending}
width={560}
>
<Form form={form} layout="vertical"
onFinish={(v) => edit ? update.mutate({ id: edit.id, v }) : create.mutate(v)}>
<Form.Item label={t('routes.col.destination')} name="destination"
rules={[{ required: true }]} extra={t('routes.destExtra')}>
<Input placeholder="10.0.5.0/24" />
</Form.Item>
<Form.Item label={t('routes.col.gateway')} name="gateway"
extra={t('routes.gatewayExtra')}>
<Input placeholder="192.168.1.1" />
</Form.Item>
<Form.Item label={t('routes.col.dev')} name="dev"
extra={t('routes.devExtra')}>
<Input placeholder="ens18" />
</Form.Item>
<Form.Item label={t('routes.col.metric')} name="metric"
extra={t('routes.metricExtra')}>
<InputNumber min={0} max={65535} style={{ width: '100%' }} />
</Form.Item>
<Form.Item label={t('routes.col.table')} name="table_name"
extra={t('routes.tableExtra')}>
<Input placeholder="main" />
</Form.Item>
<Form.Item label={t('routes.col.comment')} name="comment">
<Input.TextArea rows={2} />
</Form.Item>
<Form.Item label={t('routes.col.active')} name="active" valuePropName="checked">
<Switch />
</Form.Item>
</Form>
</Modal>
</div>
)
}

275
management-ui/src/pages/Networks/index.tsx
View File

@@ -1,153 +1,17 @@
import { useState } from 'react' import { Tabs } from 'antd'
import { Button, Card, Form, Input, InputNumber, Modal, Select, Space, Switch, Tag, Tooltip, Typography, message } from 'antd' import { ClusterOutlined } from '@ant-design/icons'
import type { ColumnsType } from 'antd/es/table'
import { ClusterOutlined, PlusOutlined } from '@ant-design/icons'
import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
import { useTranslation } from 'react-i18next' import { useTranslation } from 'react-i18next'
import DataTable from '../../components/DataTable'
import PageHeader from '../../components/PageHeader' import PageHeader from '../../components/PageHeader'
import ActionButtons from '../../components/ActionButtons' import InterfacesTab from './Interfaces'
import StatusDot from '../../components/StatusDot' import RoutesTab from './Routes'
import apiClient, { isEnvelope } from '../../api/client'
interface NetworkInterface {
id: number
name: string
type: 'ethernet' | 'vlan' | 'bond' | 'bridge' | 'wireguard'
parent?: string | null
vlan_id?: number | null
members: string[]
role: string
mtu?: number | null
active: boolean
description?: string | null
created_at: string
updated_at: string
}
interface IfaceFormValues {
name: string
type: NetworkInterface['type']
parent?: string
vlan_id?: number
members?: string[]
role: string
mtu?: number
active: boolean
description?: string
}
interface SystemInterface {
ifname: string
link_type?: string
address?: string
flags?: string[]
addr_info?: Array<{ family: 'inet' | 'inet6'; local: string; prefixlen: number }>
}
async function listInterfaces(): Promise<NetworkInterface[]> {
const r = await apiClient.get('/network-interfaces')
if (!isEnvelope(r.data)) return []
return (r.data.data as { interfaces?: NetworkInterface[] }).interfaces ?? []
}
async function listSystemInterfaces(): Promise<SystemInterface[]> {
const r = await apiClient.get('/system/interfaces')
if (!isEnvelope(r.data)) return []
return (r.data.data as { interfaces?: SystemInterface[] }).interfaces ?? []
}
interface FwZone { id: number; name: string; description?: string | null; builtin: boolean }
async function listZones(): Promise<FwZone[]> {
const r = await apiClient.get('/firewall/zones')
if (!isEnvelope(r.data)) return []
return (r.data.data as { zones?: FwZone[] }).zones ?? []
}
export default function NetworksPage() { export default function NetworksPage() {
const { t } = useTranslation() const { t } = useTranslation()
const qc = useQueryClient()
const { data: ifs, isLoading } = useQuery({ queryKey: ['network-interfaces'], queryFn: listInterfaces }) const tabs = [
const { data: sys } = useQuery({ queryKey: ['system', 'interfaces'], queryFn: listSystemInterfaces, refetchInterval: 60_000 }) { key: 'interfaces', label: t('networks.tabs.interfaces'), children: <InterfacesTab /> },
const { data: zones } = useQuery({ queryKey: ['fw-zones'], queryFn: listZones }) { key: 'routes', label: t('networks.tabs.routes'), children: <RoutesTab /> },
const [editing, setEditing] = useState<NetworkInterface | null>(null)
const [creating, setCreating] = useState(false)
const [form] = Form.useForm<IfaceFormValues>()
const create = useMutation({
mutationFn: async (v: IfaceFormValues) => { await apiClient.post('/network-interfaces', v) },
onSuccess: () => {
message.success(t('common.save'))
setCreating(false); form.resetFields()
void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
},
})
const update = useMutation({
mutationFn: async ({ id, v }: { id: number; v: IfaceFormValues }) => { await apiClient.put(`/network-interfaces/${id}`, v) },
onSuccess: () => {
message.success(t('common.save'))
setEditing(null); form.resetFields()
void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
},
})
const del = useMutation({
mutationFn: async (id: number) => { await apiClient.delete(`/network-interfaces/${id}`) },
onSuccess: () => { void qc.invalidateQueries({ queryKey: ['network-interfaces'] }) },
})
// Stable colour palette for role tags. Builtin zones get a fixed
// colour; custom zones cycle through the palette by name hash so
// the same custom zone always shows up in the same shade.
const PALETTE = ['blue', 'green', 'orange', 'purple', 'magenta', 'cyan', 'gold', 'volcano', 'geekblue']
const FIXED: Record<string, string> = { wan: 'blue', lan: 'green', dmz: 'orange', mgmt: 'purple', cluster: 'magenta' }
const roleColor = (r: string): string => {
if (FIXED[r]) return FIXED[r]
let h = 0
for (let i = 0; i < r.length; i++) h = (h * 31 + r.charCodeAt(i)) >>> 0
return PALETTE[h % PALETTE.length]
}
const columns: ColumnsType<NetworkInterface> = [
{ title: t('networks.name'), dataIndex: 'name', key: 'name', render: (s: string) => <code>{s}</code> },
{ title: t('networks.type'), dataIndex: 'type', key: 'type' },
{
title: t('networks.composition'), key: 'composition',
render: (_, row) => {
if (row.type === 'vlan') return <span><code>{row.parent}</code>.{row.vlan_id}</span>
if (row.type === 'bridge' || row.type === 'bond') {
return <Space size={4} wrap>{(row.members ?? []).map((m) => <Tag key={m}>{m}</Tag>)}</Space>
}
return '—'
},
},
{
title: t('networks.role'), dataIndex: 'role', key: 'role',
render: (r: string) => <Tag color={roleColor(r)}>{r.toUpperCase()}</Tag>,
},
{ title: t('networks.mtu'), dataIndex: 'mtu', key: 'mtu', render: (v?: number) => v ?? '—' },
{ title: t('networks.active'), dataIndex: 'active', key: 'active', render: (v: boolean) => <StatusDot active={v} /> },
{
title: t('common.actions'), key: 'actions',
render: (_, row) => (
<ActionButtons
onEdit={() => {
setEditing(row)
form.setFieldsValue({
name: row.name, type: row.type, parent: row.parent ?? undefined,
vlan_id: row.vlan_id ?? undefined, members: row.members ?? [],
role: row.role,
mtu: row.mtu ?? undefined, active: row.active,
description: row.description ?? undefined,
})
}}
onDelete={() => del.mutate(row.id)}
deleteConfirm={t('networks.deleteConfirm', { name: row.name })}
/>
),
},
] ]
return ( return (
@@ -157,128 +21,7 @@ export default function NetworksPage() {
title={t('networks.title')} title={t('networks.title')}
subtitle={t('networks.intro')} subtitle={t('networks.intro')}
/> />
<Tabs items={tabs} defaultActiveKey="interfaces" />
<Card title={t('networks.systemDiscovered')} className="mb-12" size="small">
<Space wrap>
{(sys ?? []).map((i) => {
const v4 = (i.addr_info ?? []).filter((a) => a.family === 'inet').map((a) => `${a.local}/${a.prefixlen}`)
const v6 = (i.addr_info ?? []).filter((a) => a.family === 'inet6').map((a) => `${a.local}/${a.prefixlen}`)
return (
<Tooltip key={i.ifname} title={[...v4, ...v6].join(' · ') || '—'}>
<Tag>{i.ifname}{v4[0] ? ` · ${v4[0]}` : ''}</Tag>
</Tooltip>
)
})}
{(sys ?? []).length === 0 && <Typography.Text type="secondary"></Typography.Text>}
</Space>
</Card>
<DataTable
rowKey="id"
loading={isLoading}
dataSource={ifs ?? []}
columns={columns}
extraActions={
<Button type="primary" icon={<PlusOutlined />} onClick={() => {
setCreating(true); form.resetFields()
form.setFieldsValue({ type: 'ethernet', role: 'lan', active: true })
}}>
{t('networks.addInterface')}
</Button>
}
/>
<Modal
title={editing ? t('networks.editInterface') : t('networks.addInterface')}
open={editing !== null || creating}
onCancel={() => { setEditing(null); setCreating(false) }}
onOk={() => { void form.submit() }}
confirmLoading={create.isPending || update.isPending}
width={560}
>
<Form
form={form}
layout="vertical"
onFinish={(v) => {
if (editing) update.mutate({ id: editing.id, v })
else create.mutate(v)
}}
>
<Form.Item label={t('networks.name')} name="name" rules={[{ required: true }]}>
<Input placeholder="eth0 / eth0.100 / bond0" />
</Form.Item>
<Form.Item label={t('networks.type')} name="type" rules={[{ required: true }]}>
<Select options={[
{ value: 'ethernet', label: 'ethernet' },
{ value: 'vlan', label: 'vlan' },
{ value: 'bond', label: 'bond' },
{ value: 'bridge', label: 'bridge' },
{ value: 'wireguard',label: 'wireguard' },
]} />
</Form.Item>
<Form.Item noStyle shouldUpdate={(p, c) => p.type !== c.type}>
{({ getFieldValue }) => {
const tp = getFieldValue('type') as NetworkInterface['type'] | undefined
const sysOptions = (sys ?? [])
.filter((i) => i.ifname !== 'lo')
.map((i) => ({ value: i.ifname, label: i.ifname }))
if (tp === 'vlan') {
return (
<>
<Form.Item label={t('networks.parent')} name="parent" rules={[{ required: true }]}>
<Select placeholder={t('networks.selectParent')} showSearch options={sysOptions} />
</Form.Item>
<Form.Item label={t('networks.vlanId')} name="vlan_id" rules={[{ required: true }]}>
<InputNumber min={1} max={4094} style={{ width: '100%' }} />
</Form.Item>
</>
)
}
if (tp === 'bridge' || tp === 'bond') {
return (
<Form.Item
label={t('networks.members')}
name="members"
rules={[{ required: true, type: 'array', min: 1, message: t('networks.membersRequired') }]}
extra={tp === 'bridge' ? t('networks.membersHintBridge') : t('networks.membersHintBond')}
>
<Select
mode="multiple"
placeholder={t('networks.selectMembers')}
showSearch
options={sysOptions}
/>
</Form.Item>
)
}
return null
}}
</Form.Item>
<Form.Item
label={t('networks.role')}
name="role"
rules={[{ required: true }]}
extra={t('networks.roleHint')}
>
<Select
showSearch
options={(zones ?? []).map(z => ({
value: z.name,
label: z.builtin ? z.name.toUpperCase() : `${z.name.toUpperCase()} (custom)`,
}))}
/>
</Form.Item>
<Form.Item label={t('networks.mtu')} name="mtu">
<InputNumber min={68} max={9216} style={{ width: '100%' }} placeholder="1500" />
</Form.Item>
<Form.Item label={t('networks.description')} name="description">
<Input.TextArea rows={2} />
</Form.Item>
<Form.Item label={t('networks.active')} name="active" valuePropName="checked">
<Switch />
</Form.Item>
</Form>
</Modal>
</div> </div>
) )
} }

75
packaging/debian/edgeguard-api/DEBIAN/postinst
View File

@@ -93,6 +93,9 @@ edgeguard ALL=(root) NOPASSWD: /usr/bin/apt-get update
# Backup-Pfad: pg_dump als postgres-User. Whitelist exakt mit # Backup-Pfad: pg_dump als postgres-User. Whitelist exakt mit
# --clean --if-exists --no-owner --no-acl + dem festen DB-Namen. # --clean --if-exists --no-owner --no-acl + dem festen DB-Namen.
edgeguard ALL=(postgres) NOPASSWD: /usr/bin/pg_dump --clean --if-exists --no-owner --no-acl edgeguard edgeguard ALL=(postgres) NOPASSWD: /usr/bin/pg_dump --clean --if-exists --no-owner --no-acl edgeguard
# Static-Routes: API ruft `sudo systemctl restart edgeguard-routes.service`
# nach jedem Mutate, damit das apply-Skript die neue routes.conf anwendet.
edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl restart edgeguard-routes.service
# Self-Upgrade-Pfad (handlers/system.go → /system/upgrade). Whitelist # Self-Upgrade-Pfad (handlers/system.go → /system/upgrade). Whitelist
# nur die exakte Unit-Form, damit edgeguard NICHT beliebige systemd- # nur die exakte Unit-Form, damit edgeguard NICHT beliebige systemd-
# Units anlegen darf. # Units anlegen darf.
@@ -297,6 +300,78 @@ LOGROTATE
echo "postinst: ulogd2.service not installed — install ulogd2 to enable firewall log" >&2 echo "postinst: ulogd2.service not installed — install ulogd2 to enable firewall log" >&2
fi fi
# ── Static-routes apply-script + systemd unit ────────────────
# Verwaltet aus /etc/edgeguard/routes.conf. `proto edgeguard`
# markiert die Routen damit das flush keine fremden Routen
# tötet (kernel/dhcp/static manuell gesetzt).
cat > /usr/sbin/edgeguard-apply-routes <<'APPLYROUTES'
#!/bin/bash
# Managed by edgeguard — DO NOT EDIT.
# Reads /etc/edgeguard/routes.conf (pipe-format) and applies via ip(8).
set -e
CONF=/etc/edgeguard/routes.conf
# Existierende edgeguard-Routen weg, bevor wir neue setzen. Andere
# Quellen (kernel/dhcp/manuell ohne proto) bleiben intakt.
ip route flush proto 250 2>/dev/null || true
[ -f "$CONF" ] || exit 0
while IFS='|' read -r dest gw dev metric table; do
[ -z "$dest" ] && continue
case "$dest" in '#'*) continue;; esac
args=("$dest")
[ -n "$gw" ] && args+=("via" "$gw")
[ -n "$dev" ] && args+=("dev" "$dev")
[ -n "$metric" ] && args+=("metric" "$metric")
if [ -n "$table" ] && [ "$table" != "main" ]; then
args+=("table" "$table")
fi
args+=("proto" "250")
if ! ip route add "${args[@]}"; then
echo "edgeguard-routes: failed to add: ip route add ${args[*]}" >&2
# weitermachen — eine fehlende Route soll nicht alle anderen
# blockieren.
fi
done < "$CONF"
APPLYROUTES
chmod 0755 /usr/sbin/edgeguard-apply-routes
chown root:root /usr/sbin/edgeguard-apply-routes
# rt_protos-Eintrag für `proto edgeguard` (Symbolname statt
# numerisch). Debian 13 hat /etc/iproute2 nicht als Default,
# also conf.d-Pattern: /etc/iproute2/rt_protos.d/edgeguard.conf
# überlagert die /usr/share/iproute2/rt_protos.
install -d /etc/iproute2/rt_protos.d
echo "250 edgeguard" > /etc/iproute2/rt_protos.d/edgeguard.conf
chmod 0644 /etc/iproute2/rt_protos.d/edgeguard.conf
cat > /etc/systemd/system/edgeguard-routes.service <<'ROUTESUNIT'
[Unit]
Description=EdgeGuard static-routes apply
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/edgeguard-apply-routes
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
ROUTESUNIT
systemctl daemon-reload
systemctl enable edgeguard-routes.service >/dev/null 2>&1 || true
# Initialer Apply — leere /etc/edgeguard/routes.conf ist ok
# (Skript exitet einfach ohne irgendwas zu tun).
systemctl start edgeguard-routes.service 2>/dev/null || true
# Initialer Stub damit `cat` im Skript nicht klagt
if [ ! -f /etc/edgeguard/routes.conf ]; then
: > /etc/edgeguard/routes.conf
chown "$EG_USER":"$EG_USER" /etc/edgeguard/routes.conf
fi
# ── Self-signed default cert so HAProxy starts cleanly ─────── # ── Self-signed default cert so HAProxy starts cleanly ───────
# HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least # HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least
# one PEM in the directory to come up. Operator runs certbot # one PEM in the directory to come up. Operator runs certbot